A company manager stated that the company network was invaded and the invader was able to get sensitive information, like bank account data, passwords, personal info, etc.

I know that I need to first stop current and future invasions (unplug the internet cable), then later nuke all data and reinstall all OSes and software on each PC.

But I'm worried about whether it is possible to track some info about the invader before the reinstall. What are the basic or common places in the system where I can find logs, traces or hints of the invader and their steps? Are there any recommended tools to perform that job?

EDIT - Most PCs are running Windows based OSes (mostly WinXP or Seven). All PCs are connected to a basic network hub-switch and the network is linked to the internet via an ADSL router. Probably no logging (unless Windows leaves some kind of network logging activated by default; that is included in my question).

3 Answers

The secret to discovering how you were hacked usually lies in preparation before the attack rather than after, configuring all systems to send logs to a central log server for example. This is because many types of malware packages delete logs to cover their tracks and make recovery difficult; if systems forward their logs to a central server it helps preserve the record. If there's no central logging it's possible there's nothing for you to find, but here's how I'd attack the problem anyhow.

The ultimate goal should be to establish a timeline of which systems were hacked, how they were hacked, how the infection spread, and how long it was until the attack was detected and the systems taken off-line. All the information you gather should go into this timeline. Once the timeline is complete you can then use it to reconstruct the sequence of events and the likely impact.

If your office is on an ADSL line then it's unlikely you have any externally-facing servers; most likely all connections originate from the inside of the network. This means it is unlikely that anyone penetrated your network from the outside; most likely somebody was infected by opening a malware file sent in an email (most likely a PDF), or by being tricked into browsing to a hacked site. It is also possible that somebody brought the malware in on a USB stick or other type of removable media. ADSL routers are generally poor at logging (if they are even configured to do it), so I would first focus on the anti-virus and Windows logs and use any available router logs to supplement.

If you have a central AD server, AV server, and the like then the job will be easier. If not, you're going to have to look at the individual machines affected. You didn't state how many systems have been hacked, so this may be easy or hard to do depending on the scale of the problem. I'd start with AV logs, expecting that the AV detected the malware but failed to protect the systems. If you don't find anything there, look at the system logs. Keep an eye out for Java or Adobe Reader starting, and unexpected crashes/reboots. Events like that point to successful infections.

Once you have determined which systems were affected, you can then look at your ADSL router logs (providing you have any) and see what the infected systems did before and after infection. The before will help determine how the system was infected (by downloading an email, going to a specific website), and the after may shed light on what the malware was (i.e. what command and control systems the malware connected to) and what it did. It's unlikely you will be able to determine exactly what information was lost, but at least by knowing what the malware was, how long the systems were infected, and how much information was transferred you can have an idea of the impact.
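The timeline this answer describes, merged from the three sources it names (AV logs, Windows event logs, ADSL router logs), as an added example that is not part of the original answer. The three line formats, the hostnames, IP addresses and every sample line are constructed for the demo; real exports will have their own field order and need their own parsers, but the merge, flag, and before/after split is the same. The suspect event IDs and process names are this example's reading of the answer's "Java or Adobe Reader starting, and unexpected crashes/reboots" hint.

```python
"""Build one incident timeline from several log sources (added example)."""
import re
from datetime import datetime, timedelta

# System-log IDs behind "unexpected crashes/reboots" (6008 = previous shutdown
# was unexpected, 41 = kernel-power, 1001 = bugcheck) and process names behind
# "Java or Adobe Reader starting". Both sets are this example's choice.
SUSPECT_EVENT_IDS = {6008, 41, 1001}
SUSPECT_PROCESSES = ("java.exe", "javaw.exe", "acrord32.exe")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_av_line(line):
    # constructed format: time,host,action,threat,path
    ts, host, action, threat, path = line.strip().split(",", 4)
    return {"time": _ts(ts), "host": host, "source": "av",
            "detail": f"{action} {threat} in {path}",
            # detected but not quarantined is the "AV saw it but failed to
            # protect the system" case the answer expects to find
            "flag": action.lower() != "quarantined"}


def parse_winevent_line(line):
    # constructed format: time,host,log,event_id,message
    ts, host, log, event_id, msg = line.strip().split(",", 4)
    event_id = int(event_id)
    msg_l = msg.lower()
    return {"time": _ts(ts), "host": host, "source": f"win-{log.lower()}",
            "detail": f"event {event_id}: {msg}",
            "flag": event_id in SUSPECT_EVENT_IDS
            or any(p in msg_l for p in SUSPECT_PROCESSES)}


ROUTER_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_router_line(line, ip_to_host):
    # constructed format: "time src=IP dst=IP dport=N"; the router names
    # machines by IP, so map back to the hostname the other logs use
    m = ROUTER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised router line: {line!r}")
    ts, src, dst, dport = m.groups()
    return {"time": _ts(ts), "host": ip_to_host.get(src, src), "source": "router",
            "detail": f"connection to {dst}:{dport}", "flag": False}


def build_timeline(av_lines, win_lines, router_lines, ip_to_host):
    events = ([parse_av_line(l) for l in av_lines]
              + [parse_winevent_line(l) for l in win_lines]
              + [parse_router_line(l, ip_to_host) for l in router_lines])
    return sorted(events, key=lambda e: e["time"])


def first_flagged(timeline, host):
    """Earliest suspect event on a host: the working 'infection time'."""
    for e in timeline:
        if e["host"] == host and e["flag"]:
            return e
    return None


def events_before(timeline, host, minutes):
    """What the host did shortly before infection (how it got infected)."""
    first = first_flagged(timeline, host)
    if first is None:
        return []
    start = first["time"] - timedelta(minutes=minutes)
    return [e for e in timeline
            if e["host"] == host and start <= e["time"] < first["time"]]


def events_after(timeline, host):
    """What the host did after infection (C2 contacts, crashes, AV hits)."""
    first = first_flagged(timeline, host)
    if first is None:
        return []
    return [e for e in timeline if e["host"] == host and e["time"] > first["time"]]


# constructed sample data (hostnames, IPs and paths are made up)
AV_LINES = [
    r"2013-03-04 08:30:00,PC-02,Quarantined,EICAR-Test-File,C:\test\eicar.com",
    r"2013-03-04 09:12:33,PC-07,Detected,Trojan.Agent,C:\Users\ann\AppData\Local\Temp\inv0ice.pdf.exe",
]
WIN_LINES = [
    r"2013-03-04 08:00:01,PC-07,System,7036,The Print Spooler service entered the running state",
    r"2013-03-04 09:12:10,PC-07,Security,4688,New process: C:\Program Files\Adobe\Reader\AcroRd32.exe",
    r"2013-03-04 09:40:05,PC-07,System,6008,The previous system shutdown at 09:38 was unexpected",
]
ROUTER_LINES = [
    "2013-03-04 09:11:40 src=192.0.2.10 dst=198.51.100.7 dport=443",
    "2013-03-04 09:13:05 src=192.0.2.10 dst=203.0.113.9 dport=8080",
]
IP_TO_HOST = {"192.0.2.10": "PC-07"}  # taken from DHCP leases / ipconfig on each PC


def demo_timeline():
    return build_timeline(AV_LINES, WIN_LINES, ROUTER_LINES, IP_TO_HOST)


if __name__ == "__main__":
    tl = demo_timeline()
    for e in tl:
        mark = "!" if e["flag"] else " "
        print(f"{e['time']} {e['host']:6} {e['source']:13} {mark} {e['detail']}")
    hit = first_flagged(tl, "PC-07")
    print("PC-07 first suspect event:", hit["time"], hit["detail"])
    print("before:", [e["detail"] for e in events_before(tl, "PC-07", 5)])
    print("after: ", [e["detail"] for e in events_after(tl, "PC-07")])
```

On the sample data the first flagged event on PC-07 is the Adobe Reader process start, the router shows one outbound HTTPS connection in the minutes before it, and the AV detection, a second outbound connection and an unexpected shutdown follow it. Clock skew between the router and the PCs is the usual trap when merging sources like this; note each device's offset from a reference clock before trusting the ordering.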

Because your organization seems small, try creating images of all the desktops so that you (or someone else) can investigate the logs and file systems for anything of value off-line. This way, you can retain forensic data on each machine, and get your users back up and running quickly.

I would also grab whatever logs are available from the switches and ADSL router, as well as all server logs and logs from Anti-Virus, firewalls, or other security-related software/devices.

As for all the other 'Incident Response' issues, there are many, many things you can do to prevent further breaches, and to have systems in place to provide much more data if the problem happens again. But that seems beyond the scope of your question.

I'm not going to ask how he/she came by that information - but you should.

Leaving these aside for now - if your role is to ensure the security of the systems then that also means ensuring their availability. Given the scale of the operation, holding back systems for evidence gathering rather than re-commissioning them is perhaps not the best tactic. What do you expect to achieve? It's likely that it will simply be impractical to pursue an investigation beyond the walls of the office.

Also, spending a lot of time trying to investigate how the "invader" got into the network should only improve your knowledge of how to prevent the same attack from occurring again - attackers only need to find a single vulnerability - but to defend a network you need to eliminate all the vulnerabilities.

Having said that, it's quite simple to copy the event logs (NB check for .evtx files as well as .evt) elsewhere before wiping/reinstalling.
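One way to do the copy this answer suggests in a repeatable way, as an added example that is not part of the answer: collect every .evt/.evtx file under the given directories into a per-host evidence folder, preserving timestamps, and write a SHA-256 manifest so the copies can be checked later. The default Windows paths are the usual locations for XP (.evt) and Vista/7 (.evtx) logs but are only a suggestion; the demo runs against a temporary directory with constructed dummy files so it works on any platform.

```python
"""Copy Windows event log files into an evidence folder with a hash manifest
(added example, not from the original answer)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

LOG_SUFFIXES = {".evt", ".evtx"}
# Usual locations: XP keeps .evt files under config, Vista/7 keep .evtx under
# winevt\Logs. Pass your own list if the machine is laid out differently.
DEFAULT_ROOTS = [r"C:\Windows\System32\config", r"C:\Windows\System32\winevt\Logs"]
MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_event_logs(roots):
    """Yield every .evt/.evtx file (any case) below the given directories."""
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for p in sorted(root.rglob("*")):
            if p.is_file() and p.suffix.lower() in LOG_SUFFIXES:
                yield p


def preserve_event_logs(roots, evidence_dir, hostname):
    """Copy logs to evidence_dir/hostname and record (source, copy, sha256)."""
    dest = Path(evidence_dir) / hostname
    dest.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in find_event_logs(roots):
        # prefix with the parent directory so same-named logs from two roots
        # cannot overwrite each other
        target = dest / f"{src.parent.name}_{src.name}"
        shutil.copy2(src, target)  # copy2 keeps mtime, which the timeline needs
        digest = sha256_file(target)
        if digest != sha256_file(src):
            raise RuntimeError(f"copy of {src} does not match source")
        manifest.append((str(src), target.name, digest))
    lines = [f"{digest}  {name}  {source}" for source, name, digest in manifest]
    (dest / MANIFEST_NAME).write_text("\n".join(lines) + "\n")
    return manifest


def verify_manifest(evidence_dir, hostname):
    """Recompute every hash in the manifest; False on any mismatch or gap."""
    dest = Path(evidence_dir) / hostname
    manifest = dest / MANIFEST_NAME
    if not manifest.is_file():
        return False
    for line in manifest.read_text().splitlines():
        digest, name, _source = line.split("  ", 2)
        copy = dest / name
        if not copy.is_file() or sha256_file(copy) != digest:
            return False
    return True


def demo():
    """Run the whole flow against constructed files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        config = Path(tmp) / "config"
        config.mkdir()
        (config / "SecEvent.Evt").write_bytes(b"constructed XP security log")
        winevt = Path(tmp) / "winevt" / "Logs"
        winevt.mkdir(parents=True)
        (winevt / "System.evtx").write_bytes(b"constructed Win7 system log")
        (winevt / "readme.txt").write_bytes(b"not a log, must be skipped")
        evidence = Path(tmp) / "evidence"
        manifest = preserve_event_logs([config, winevt], evidence, "PC-07")
        ok_before = verify_manifest(evidence, "PC-07")
        # simulate a damaged copy and confirm the manifest catches it
        (evidence / "PC-07" / manifest[0][1]).write_bytes(b"tampered")
        ok_after = verify_manifest(evidence, "PC-07")
        return {"copied": sorted(m[1] for m in manifest),
                "ok_before": ok_before, "ok_after": ok_after}


if __name__ == "__main__":
    print(demo())
```

Live Windows systems hold the current log files open through the Event Log service, so a plain file copy from a running XP or 7 machine may fail with a permission error; run it from an offline boot or against a mounted image of the disk (which also fits the imaging suggestion in the other answer), or on Vista/7 export each log first with `wevtutil epl <LogName> <file>` and point this script at the export directory.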